Method and device for managing resources with an external account

ABSTRACT

Method and device for managing cloud computing resources with an external account, the resources being associated with one or more internal main accounts. The method includes verifying an identity of the external account via a server, determining, if the identity of the external account is verified, whether a virtual sub-account is bound to the external account, the virtual sub-account being subordinate to an internal main account of the one or more internal main accounts, and allowing, if it is determined that the virtual sub-account is bound to the external account, the external account to manage the resources associated with the internal main account based on pre-configured rights of the virtual sub-account.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority from Chinese Patent Application No. 201510487834.4 filed on Aug. 10, 2015, entitled “Method and Apparatus for Operating Resources Based on External Accounts,” which is incorporated herein by reference in its entirety.

BACKGROUND

Field of the Disclosure

The present disclosure generally relates to improving resource management with an external account in cloud computing environments.

Description of the Related Art

In cloud computing scenarios, a user who applies for an internal main account in the cloud computing platform and purchases a series of cloud resources from the platform under that internal main account will then need to manage these cloud resources. In practice, the user may authorize someone who has both the time and the relevant technical knowledge to manage the various cloud resources of the internal main account, as the user may lack the time or the technical knowledge to do so. Also, different cloud resources may need to be managed by different resource management staff.

Many users prefer to manage the cloud resources of the internal main account without giving the account name and the password to the resource management staff, so as to guarantee the safety of the internal main account. A master-slave account system has been used in the prior art. This allows a sub-account with its own user name and password to be created for the resource managing staff, within the framework of the internal main account and on the same platform.

BRIEF SUMMARY

However, the master-slave account system in the prior art lacks flexibility, as the operation rights are limited to one platform, and further limited to a sub-account of one internal main account. Especially for certain types of outsourced applications, for example, if resource management staff take over several cloud resource management businesses from multiple users, they will need to remember the account names and the passwords of multiple sub-accounts. While logging in, it can become an excessive burden on the staff to recall the account names and the passwords of the sub-accounts corresponding to the internal main accounts. The account names and the passwords cannot be managed in a unified manner. This creates a burden requiring additional staff time and resources and risks the use of simple or repeated passwords, thus sacrificing security.

In light of the above problems, the present disclosure provides methods and devices for operating resources with an external account that can overcome the above and other problems in the present art.

According to some embodiments of the present disclosure, a method for managing resources with an external account includes conducting an identity verification of an external account via a server and querying a virtual sub-account bound to the external account if the identity of the external account has been verified, wherein each virtual sub-account is subordinate to an internal main account of the current platform. The method further includes allowing the external account to manage the resources of the internal main account based on pre-configured rights of the virtual sub-account when the virtual sub-account bound to the external account has been verified.

According to some embodiments of the present disclosure, a device for managing resources with an external account includes (1) identity verification circuitry for conducting an identity verification of an external account via a server; (2) virtual sub-account querying circuitry for querying a virtual sub-account bound to the external account if the identity of the external account has been verified, wherein each virtual sub-account is subordinate to an internal main account of the current platform; and (3) resource management circuitry for allowing the external account to manage the resources of the internal main account based on pre-configured rights of the virtual sub-account when the virtual sub-account bound to the external account has been verified.

Compared with the prior art, the embodiments of the present disclosure yield, among others, the following advantages: in the various embodiments of the disclosure, a virtual sub-account, which can be bound to an external account but is not externally displayed, can be set up in any one internal main account of the current platform by the user. If the resource managing staff member or members of the external account want to manage the cloud resources of the internal main account, they can conduct identity verification of the external account via the server and, if the identity of the external account has been verified, manage the resources of the internal main account based on the rights pre-configured on the virtual sub-account, through the binding relationship between the external account and the virtual sub-account of the internal main account. A resource managing staff member then only needs to provide a habitually used external account of one server to a user of the internal main account, who creates a virtual sub-account bound to that external account, before they can operate resources of various internal main accounts with one unified external account associated with multiple internal main accounts, thereby easing the burden on the resource managing staff and making the allocation of the managed resources more flexible.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, features, and advantages of the disclosure will be apparent from the following description of embodiments as illustrated in the accompanying drawings, in which reference characters refer to the same parts throughout the various views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating principles of the disclosure.

FIG. 1 presents a flow diagram illustrating a method for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 2 presents a flow diagram illustrating a method for conducting identity verification of an external account via a server according to some embodiments of the present disclosure.

FIG. 3 presents a flow diagram illustrating a method for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 4 presents a flow diagram illustrating a method for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 5 presents a flow diagram of a method for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 6 presents a block diagram of a device for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 7 presents a block diagram of a device for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 8 presents a block diagram of a device for operating resources with an external account according to some embodiments of the present disclosure.

FIG. 9 presents a block diagram of a device for operating resources with an external account according to some embodiments of the present disclosure.

DETAILED DESCRIPTION

The present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, certain example embodiments. Subject matter may, however, be embodied in a variety of different forms and, therefore, covered or claimed subject matter is intended to be construed as not being limited to any example embodiments set forth herein; example embodiments are provided merely to be illustrative. Likewise, a reasonably broad scope for claimed or covered subject matter is intended. Among other things, for example, subject matter may be embodied as methods, devices, components, or systems. Accordingly, embodiments may, for example, take the form of hardware, software, firmware, or any combination thereof (other than software per se). The following detailed description is, therefore, not intended to be taken in a limiting sense.

Throughout the specification and claims, terms may have nuanced meanings suggested or implied in context beyond an explicitly stated meaning. Likewise, the phrase “in one embodiment” as used herein does not necessarily refer to the same embodiment and the phrase “in another embodiment” as used herein does not necessarily refer to a different embodiment. It is intended, for example, that claimed subject matter include combinations of example embodiments in whole or in part.

These computer program instructions can be provided to a platform or processor of: a general purpose computer to alter its function to a special purpose; a special purpose computer; ASIC; or other programmable digital data processing apparatus, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the functions/acts specified in the block diagrams or operational block or blocks, thereby transforming their functionality in accordance with embodiments herein.

For the purposes of this disclosure the term “server” should be understood to refer to a service point which provides processing, database, and communication facilities. By way of example, and not limitation, the term “server” can refer to a single, physical processor with associated communications and data storage and database facilities, or it can refer to a networked or clustered complex of processors and associated network and storage devices, as well as operating software and one or more database systems and application software that support the services provided by the server. Servers may vary widely in configuration or capabilities, but generally a server may include one or more central processing units and memory. A server may also include one or more mass storage devices, one or more power supplies, one or more wired or wireless network interfaces, one or more input/output interfaces, or one or more operating systems, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, or the like.

For the purposes of this disclosure a “network” should be understood to refer to a network that may couple devices so that communications may be exchanged, such as between a server and a client device or other types of devices, including between wireless devices coupled via a wireless network, for example. A network may also include mass storage, such as network attached storage (NAS), a storage area network (SAN), or other forms of computer or machine readable media, for example. A network may include the Internet, one or more local area networks (LANs), one or more wide area networks (WANs), wire-line type connections, wireless type connections, cellular or any combination thereof. Likewise, sub-networks, which may employ differing architectures or may be compliant or compatible with differing protocols, may interoperate within a larger network. Various types of devices may, for example, be made available to provide an interoperable capability for differing architectures or protocols. As one illustrative example, a router may provide a link between otherwise separate and independent LANs.

The principles described herein may be embodied in many different forms. In the present disclosure, if the resource managing staff need to manage the resources of multiple internal main accounts, they can provide a habitually used external account on a server to the users of these internal main accounts, who bind the external account to their own virtual sub-accounts. Then, the server of the external account provides an identity verification of the external account when the resource managing staff log in to the current platform. If the external account has been verified, the resource managing staff can operate the resources of the internal main account through the virtual sub-account of the internal main account, based on the rights pre-allocated to it. Therefore, if a resource managing staff member can manage the resources of multiple internal accounts of the current platform with one commonly used external account, the administrative burden on them will be eased. Moreover, applying the teachings herein, the configuration and operation of resources can be made more flexible and more broadly applicable.

FIG. 1 presents a flow diagram illustrating a method for operating resources with an external account according to some embodiments of the present disclosure.

In step S110, the method conducts an identity verification of an external account via the server.

According to some embodiments, the present disclosure relates to the structures of the client side, the current platform and the server of the external account. Certainly, the server of the external account can be of various types as disclosed herein, as servers can be configured in numerous application specific ways. Taking the Ali cloud platform by way of non-limiting example, an account in the Ali cloud platform, such as alice@aliyun.com, is the internal main account. The server of the external account is different from the current platform, such as the servers of the Sina website, Netease, Tencent, etc. For example, bob@sina.com is an external account of the Sina server. The external account server can provide an identity verification process for the external account based on its existing account system. The external account server may include, or be communicatively coupled to, a verification server that provides one or more identity verification processes as described more fully herein.

Then, if the owner of the external account, such as the aforementioned staff, wants to manage the resources in the internal account from the current platform, such as the Ali cloud platform, identity verification of the external account is conducted first between the client side and the current platform, and then through the server of the external account. If the identity of the external account has been verified, the process continues to step S120.

If the identity of the external account fails to be verified, it means the login of the external account fails and the process ends. In embodiments, the reasons for login failure, such as an incorrect signature of the server of the external account, can be displayed on the client side if the identity of the external account fails to be verified.

As an example, suppose the owner of bob@sina.com wants to manage the resources of alice@aliyun.com. The owner can visit the login page of the Ali cloud platform from the client side and send a request for identity verification to the Sina server from the login page.

The Sina server will provide an account input page to the client side in response to the identity verification request. The owner can then enter the account name bob@sina.com and the password 123456 on the account input page displayed, and click OK.

The Sina server will conduct an internal verification of the account name bob@sina.com and the password 123456 to authenticate whether the account name bob@sina.com exists and whether the password is correct. If both the account name and the password pass verification, it will return an identity verification result to the Ali cloud platform.

Upon parsing by the Ali cloud platform, if the returned result shows that the verification of bob@sina.com succeeded, then the process proceeds to step S120.

According to some embodiments of the present disclosure, step S110 may comprise the following sub-steps (FIG. 2).

In step S111, the method requests identity verification of an external account via the server.

Take alice@aliyun.com, the internal main account of the Ali cloud platform, and bob@sina.com, the external account of the Sina server, for example.

If the owner of the external account bob@sina.com opens the login page of the Ali cloud platform from the client side and wants to manage the resources of alice@aliyun.com, he sends a request for identity verification to the Sina server from the login page of the Ali cloud platform.

The Sina server will provide an account input page to the client side of the owner after receiving the identity verification request. The owner can enter the account name bob@sina.com and the password 123456 on the account input page displayed.

When the account name bob@sina.com and its password 123456 are authenticated as valid by the Sina server, an identity verification result specific to bob@sina.com will be generated. The identity verification result comprises the external account bob@sina.com and the signature of the server of the external account. In the present example, the signature is that of the Sina server. Then, the Sina server will return the identity verification result to the Ali cloud platform.

It will be recognized from the disclosure herein that the identity verification result can comprise other content as well; the present application imposes no restrictions thereon.

The client can be a browser or other client side application or device specific app; the present disclosure imposes no restrictions with respect to the client side implementation, as the teachings herein can be applied to multiple client side platform types.

In step S112, the method verifies the server signature of the identity verification result returned by the external account server. If the server signature has been verified, the process continues to step S113.

After receiving the above identity verification result, the Ali cloud platform will authenticate the server signature of the identity verification result. If the server signature has been verified, it means bob@sina.com is an authentic external account accepted by Sina and step S113 can begin. If the verification of the server signature fails, it means bob@sina.com might be a counterfeit external account with security risks, and the login of the external account bob@sina.com will be rejected.

It is understood that in embodiments of the present disclosure, the verification processes for the server signature under different identity verification protocols are different.

For example, for the SAML protocol, the public keys of a wide variety of external account servers can be pre-obtained by the current platform. After receiving the above identity verification result, the public key of the corresponding external account server can be extracted directly for authenticating the server signature of the identity verification result.

For the OpenID protocol, the verification process of the server signature is similar to that of the SAML protocol.

For the OAuth protocol, the server signature can be extracted from the above identity verification result and sent to the corresponding external account server to inform the server to conduct signature verification and return a security token to the current platform. After the current platform receives the security token, the verification of the server signature is regarded as valid.

In step S113, the method determines that the external account of the identity verification result is valid.

With regard to the identity verification result verified by the server of the external account, the embodiment of the present example can determine that the external account is valid. For example, for bob@sina.com, the Ali cloud platform in the embodiment of the present example can determine that bob@sina.com can enter the subsequent processes.
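As an added illustration of sub-steps S111 to S113 (example code written for this page, not the patent's or any platform's implementation): the external account server signs the identity verification result it returns, and the current platform checks that signature against a key it pre-obtained from that server, the arrangement the text describes for SAML. The Ed25519 key type, the result fields, the canonical signed message, the issuer name "sina.com", and the added rule that an account must belong to the domain of the server that signed for it are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// IdentityResult is the identity verification result returned by the external
// account server (step S111): the external account plus the server's signature.
// The field layout is an assumption made for this example.
type IdentityResult struct {
	Account   string // the external account, e.g. "bob@sina.com"
	Issuer    string // the external account server that signed, e.g. "sina.com"
	Signature []byte // Ed25519 signature by the issuer over signedMessage(...)
}

// signedMessage fixes the bytes the issuer signs. Binding the issuer name into
// the message, with a separator, stops a signature over one field being reused.
func signedMessage(account, issuer string) []byte {
	return []byte("identity-result\x00" + issuer + "\x00" + account)
}

// SignResult is the issuer's side: after the account name and password have
// been checked, it produces the signed result for the current platform.
func SignResult(priv ed25519.PrivateKey, account, issuer string) IdentityResult {
	return IdentityResult{
		Account:   account,
		Issuer:    issuer,
		Signature: ed25519.Sign(priv, signedMessage(account, issuer)),
	}
}

// Verifier is the current platform's side. serverKeys holds the public key
// pre-obtained from each external account server, keyed by issuer name.
type Verifier struct {
	serverKeys map[string]ed25519.PublicKey
}

func NewVerifier() *Verifier {
	return &Verifier{serverKeys: map[string]ed25519.PublicKey{}}
}

// RegisterServer stores the pre-obtained public key of an external account server.
func (v *Verifier) RegisterServer(issuer string, pub ed25519.PublicKey) {
	v.serverKeys[strings.ToLower(issuer)] = pub
}

// VerifyIdentityResult implements steps S112 and S113: it returns the verified
// external account, or an error saying why the login must be rejected.
func (v *Verifier) VerifyIdentityResult(r IdentityResult) (string, error) {
	issuer := strings.ToLower(r.Issuer)
	pub, ok := v.serverKeys[issuer]
	if !ok {
		return "", errors.New("no pre-obtained key for external account server " + r.Issuer)
	}
	if !ed25519.Verify(pub, signedMessage(r.Account, r.Issuer), r.Signature) {
		// Step S112 failure: the result may be counterfeit, so the login is rejected.
		return "", errors.New("incorrect server signature on identity verification result")
	}
	// Added check: a server may only vouch for accounts in its own domain, so a
	// valid signature from one trusted server cannot assert another server's user.
	if !strings.HasSuffix(strings.ToLower(r.Account), "@"+issuer) {
		return "", fmt.Errorf("account %q was not issued by %q", r.Account, r.Issuer)
	}
	return r.Account, nil // step S113: the external account is valid
}

func main() {
	// Constructed demo key pair standing in for the Sina server's published key.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	platform := NewVerifier()
	platform.RegisterServer("sina.com", pub)

	genuine := SignResult(priv, "bob@sina.com", "sina.com")
	fmt.Println(platform.VerifyIdentityResult(genuine))

	forged := genuine
	forged.Account = "alice@sina.com" // the signature no longer covers this account
	fmt.Println(platform.VerifyIdentityResult(forged))
}
```

The lookup is by issuer name, so a result that names a server the platform never exchanged keys with fails before any cryptography runs, and a tampered account or a signature from an unknown key fails at the Ed25519 check; both failures map to the "counterfeit external account" rejection of step S112.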

According to some embodiments of the present disclosure, step S110 comprises conducting an identity verification of an external account via the server through an identity verification protocol, including the OAuth protocol, the OpenID protocol, or the SAML protocol.

In the embodiment of the present example, an identity verification protocol is configured between the client side, the current platform and the server of the external account, so that the client side can conduct identity verification for the external account through the server via the current platform.

In the embodiment of the present example, the identity verification protocol can be one or more of the OAuth protocol, the SAML protocol, or the OpenID protocol. For example, the OAuth protocol is used between the client side, the Ali cloud platform and the server of Sina. The OpenID protocol is used between the client, the Ali cloud platform and the server of Netease. The SAML protocol is used between the client side, the Ali cloud platform and the server of Netease. These various protocols can be utilized as applicable to the underlying platform to which the management functions and structures described herein are being applied.

It is understandable that other identity verification protocols can be utilized in addition to the above-mentioned protocols in practical application. The present disclosure imposes no restrictions on the particular verification protocol applied.

In embodiments, the OAuth (Open Authorization) protocol provides a safe, open and simple standard for authorization of the user's resources. The authorization of the OAuth protocol is secure and will not expose the information of the account (such as account name and password) to a third party. The third party can obtain authorization for the user's resources without using the account name and the password of the user.

In some embodiments of the present disclosure, the client of the owner is taken as the Client of the OAuth protocol, the Ali cloud platform as the access side of the OAuth protocol and the server of the external account as the AS (Authorization Server) of the OAuth protocol. The client side sends an authorization request to the current platform. The current platform redirects to the server of the external account. The client side enters the user name and the password of the external account on the server for verification, and it redirects to the current platform for subsequent operation if the external account has been verified.

The SAML (Security Assertion Markup Language) protocol is a standard based on XML and used for exchanging verification and authorization data between different security domains.

In some embodiments of the present disclosure, the client side of the owner is the Subject of the SAML protocol. The current platform is the Relying Party and the server of the external account is the Asserting Party. The client side can send a request to the current platform for access authorization. Then, the current platform redirects the request to the server of the external account. The server conducts identity verification for the external account and redirects it to the current platform for subsequent processing if the external account has been verified.

The OpenID protocol is a user-centered digital identity recognition framework, characterized by openness and decentralization.

In some embodiments of the present disclosure, the client side of the staff user is the Subject of the OpenID protocol. The server of the external account is the OP (OpenID Provider, the identity provider that issues the OpenID) and the current platform is the Relying Party. The external account is required to register a unique ID in the OP system of the server of the external account in advance; the client is then redirected to the server after the owner clicks on the login interface of the OP. The owner can enter the user name and the password of the external account for verification, and the server can return the verification result to the current platform.

According to some embodiments of the present disclosure, prior to step S110 additional steps may be executed, as depicted in more detail in FIG. 3.

In step S102, the method creates a virtual sub-account in the internal main account, the internal main account having a user name and a password. The virtual sub-account does not have a password of its own; it exists for operating resources with an external account.

In some embodiments of the present disclosure, the user of the internal main account of the current platform can pre-create a virtual sub-account, e.g. “virtual_user”. The virtual_user has no login password and does not need to be displayed externally. Taking the internal account alice@aliyun.com, for example, the user of alice@aliyun.com with the password 111111 can create a virtual sub-account virtual_user within the alice@aliyun.com space.

In step S103, the method allocates the operation rights to the virtual sub-account for operating the resources of the internal main account.

In some embodiments, one internal main account may have different resources distributed in different folders, and some of them cannot be exposed to the external resource managing staff. Then, the operation rights can be set for the resources in these folders. For example, set the scope of the folders that can be operated by the virtual sub-account and the operation types, etc., wherein the operation types can be Read-only, Write-only, and Read-Write.

In step S104, the method binds the virtual sub-account to an external account.

The created virtual sub-account can be bound to the external account of the resource managing staff selected by the user. For example, if the user selects bob@sina.com, that user can bind the virtual_user of alice@aliyun.com to bob@sina.com.

In some embodiments of the present disclosure, an external account may be bound with the virtual sub-accounts of multiple internal main accounts. For example, bob@sina.com can also be bound with the virtual sub-account of tom@aliyun.com.

In some embodiments of the present disclosure, multiple virtual sub-accounts may be created in each internal main account and each virtual sub-account may be bound with a different external account.

According to some embodiments of the present disclosure, after step S104 the method may further include the following step.

In step S105, the method changes the current operation rights of the virtual sub-account in the internal main account.

In some embodiments of the present disclosure, for easy control of the internal resources and of the resources managed by the external account, the user of the internal account may log in to the current platform with the internal main account and set up the resource management rights for the virtual sub-account bound to the external account that needs to be controlled within the internal main account space.

It shall be noted that the resources of the internal account mentioned in the embodiments of the present application can be any digital data, such as statistical data, videos, documents, media files, or other types or forms of digital data.

According to some embodiments of the present disclosure, after step S104, the process may further include the following step.

In step S106, the method changes the current external account bound to the virtual sub-account to another external account.

In some embodiments of the present disclosure, for an internal main account, if the resource managing staff member of the external account bound to a virtual sub-account asks for leave, or the user wants to hire another staff member to take the place of the former member for managing the resources, the user may desire to bind a different external account to the virtual sub-account. The user may log in to the current platform with the user name and the password of the internal main account and change the external account bound to the above virtual sub-account to another external account.

Returning to FIG. 1, we complete the discussion of steps S120 and S130. This also completes the discussion of these steps in FIG. 3, which are the same as the corresponding steps in FIG. 1 and are numbered accordingly.

In step S120, the method queries whether a virtual sub-account is bound to the external account if the identity of the external account has been verified. Each virtual sub-account is subordinate to an internal main account of the current platform.

In some embodiments of the present disclosure, the current platform records the one-to-one relationship between the internal main account, the virtual sub-account and the external account. For the authenticated external account, it will inquire whether such a relationship corresponding to the external account exists. If there are multiple relationships, the choice can be made by the resource managing staff. For example, if bob@sina.com is bound with the virtual sub-accounts of both alice@aliyun.com and tom@aliyun.com, then the resource managing staff will be prompted to determine the desired internal main account.

If there is only one relationship, it can be confirmed by the resource managing staff directly, or the virtual sub-account bound to the external account can be determined directly, and no prompting is required.

In step S130, the method allows the external account to operate the resources of the internal main account based on pre-configured rights of the virtual sub-account when the virtual sub-account bound to the external account has been verified.

When one virtual sub-account bound to the external account has been confirmed by the resource managing staff, the current platform allows the resource managing staff to operate the resources of the above internal main account based on the rights pre-configured on the above virtual sub-account.

In some embodiments of the present disclosure, the above virtual sub-account is only an internally maintained rights identity and is not displayed externally. Therefore, the client will not provide an input interface for the virtual sub-account. The virtual sub-account does not need the password of the external account, and it does not have a password of its own either. Moreover, as in the embodiment of the present example, since the input interface of the virtual sub-account is not provided to the client, login cannot be conducted with a virtual sub-account alone. If logging in and managing the resources of the internal main account is required, the virtual sub-account shall be bound to the external account, so that the resources of the internal main account can be operated by logging in with the external account.

In some embodiments of the disclosure, a virtual sub-account, which can be bound to an external account but is not externally displayed, can be set up in any one internal main account of the current platform by the user. If the resource managing staff of the external account want to manage the cloud resources of the above internal main account, they can conduct identity verification of the external account via the server and, if the identity of the external account has been verified, manage the resources of the internal main account based on the rights pre-configured on the virtual sub-account, through the binding relationship between the external account and the virtual sub-account of the internal main account. A resource managing staff member then only needs to provide a habitually used external account of one server to a user of the internal main account, who creates a virtual sub-account bound to that external account, before they can manage resources of various internal main accounts with one unified external account associated with multiple internal main accounts, thereby easing the administrative burden on the resource managing staff and making the allocation of the managed resources more flexible. It also avoids the need to remember multiple complex passwords for the resources to be managed, thus improving security by avoiding the selection or use of easy to remember passwords, or the need to record the passwords in some manner, which would increase the risk of misappropriation. Thus the embodiments herein improve network security and flexibility of resource administration in cloud based systems.

FIG. 4 presents a flow diagram illustrating method for operatingresources with an external account according to some embodiments of thepresent disclosure.

In step S210, the method conducts an identity verification of anexternal account via the server.

In step S220, the method inquires whether the virtual sub-accounts ofall internal main accounts are bound to the external account if theidentity of the external account has been verified. Each virtualsub-account is subordinate to an internal main account of the currentplatform.

For example, for the external account bob@sina.com, it needs to bedetermined whether all of the internal main accounts in the currentplatform have a virtual sub-account bound to bob@sina.com. If so, aprompt box can be popped up to display all user names of the internalmain accounts, belonging to the virtual sub-account bound tobob@sina.com, for users to select. When the user selects an internalname, it means they have determined the virtual sub-account bound tobob@sina.com, and Step S230 can begin.

In step S230, the method allows the external account to manage theresources of the internal main account based on pre-configured rights ofthe virtual sub-account when the virtual sub-account bound to theexternal account has been verified.

In some embodiments of the present disclosure, without pre-determiningwhich internal main account is selected for managing the resources, theresource managing staff can directly send an identity verificationrequest to the server of the external account. The server will return anidentity verification result. After the result has been verified asvalid, the current platform will look for the relationships between theinternal main account and the virtual sub-account and external accountcorresponding to the external account and display each internal mainaccount in a box on the client side for the resource managing staff toselect. Selecting one of the internal main accounts means a virtualsub-account bound to the external account has been verified by the user.If none of the above relationships is determined, the user will benotified that no internal main account is bound to the external account.In the embodiments of the present example, it can directly jump to theserver of the external account through the current platform for identityverification without pre-entering the user name of the internal mainaccount by the user. Then, the current platform can directly provide thevirtual sub-accounts bound to the external account to the user forselection, which has facilitated the operation of the user with theexternal account.

FIG. 5 presents a flow diagram of a method for operating resources withan external account according to some embodiments of the presentdisclosure.

In step S310, the method determines the target internal main account.

The user can enter the name of the target internal main account in thelogin page of the current platform in advance. For example, they canenter alice@aliyun.com on the login page and click on the identityverification interface to jump to Step 320.

In step S320, the method conducts an identity verification of anexternal account via the server.

In step S330, the method inquires whether the virtual sub-accounts ofall internal main accounts are bound to the external account if theidentity of the external account has been verified. Each virtualsub-account is subordinate to an internal main account of the currentplatform.

As a non-limiting example, if the identity verification of the externalaccount bob@sina.com is verified, the embodiment of the present examplecan directly inquire whether the virtual sub-account of alice@aliyun.comis bound to bob@sina.com. If alice@aliyun.com has a virtual sub-accountbound to bob@sina.com, then it shall confirm the virtual sub-account isbound to the external account and proceed to Step S340.

In step S340, the method allows the external account to manage theresources of the internal main account based on pre-configured rights ofthe virtual sub-account when the virtual sub-account bound to theexternal account has been verified.

In some embodiments of the present disclosure, the resource managingstaff can determine which internal main account is selected foroperating the resources in advance, for example, determiningalice@aliyun.com directly, and then sending an identity verificationrequest to the server of the external account. After the identityverification result returned by the server has been verified as valid,the current platform will look for the relationships between theinternal main account and the virtual sub-account and external accountcorresponding to alice@aliyun.com and determine if the virtualsub-account is bound to the external account, if the relationship can beidentified. If none of the above relationships are found, the user willbe notified that no internal main account is bound to the externalaccount. In the embodiment of the present example, the target internalmain account can be determined in advance; therefore, purposeful inquirycan be carried out as to whether the external account is bound to avirtual sub-account of the target internal account if the identity ofthe external account has been verified, which results in a more rapidprocessing speed of resource management functions and thus can savesystem resources.
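The two flows above, as an added example that is not the patent's own code: the FIG. 4 flow (list every internal main account whose virtual sub-account is bound to the verified external account) and the FIG. 5 flow (check one target internal main account), with the server signature checked first and rights enforced per virtual sub-account. It assumes a simulated external server that signs its result with HMAC-SHA256 over a shared key, standing in for the OAuth/SAML/OpenID signature; carol@example.com, dave@example.com, the sub-account names and the right names are constructed.

```python
"""Added example, not the patent's own code: a toy platform that implements
the FIG. 4 flow (list every internal main account whose virtual sub-account
is bound to a verified external account) and the FIG. 5 flow (check one
target internal main account), with rights enforced per virtual sub-account.
Assumption: the external identity server signs its result with HMAC-SHA256
over a shared key, standing in for the OAuth/SAML/OpenID signature."""
import hashlib
import hmac

# Constructed key shared with the simulated external verification server.
EXTERNAL_SERVER_KEY = b"constructed-demo-key"


def external_server_result(external_account, key=EXTERNAL_SERVER_KEY):
    """Simulated server reply: identifier of the external account plus signature."""
    sig = hmac.new(key, external_account.encode(), hashlib.sha256).hexdigest()
    return {"external_account": external_account, "signature": sig}


def verify_result(result, key=EXTERNAL_SERVER_KEY):
    """Signature verification (module 462): recompute and compare in constant time."""
    expected = hmac.new(key, result["external_account"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, result.get("signature", ""))


class Platform:
    """Internal main accounts, each holding virtual sub-accounts that carry
    a rights set and, optionally, a binding to one external account."""

    def __init__(self):
        self.main_accounts = {}  # main name -> {sub name: {"bound_to": str|None, "rights": set}}

    def create_virtual_sub_account(self, main, sub, rights):
        """Modules 451/452: create the sub-account (no password of its own) and allocate rights."""
        self.main_accounts.setdefault(main, {})[sub] = {"bound_to": None, "rights": set(rights)}

    def bind(self, main, sub, external_account):
        """Modules 453/455: bind (or re-bind) the virtual sub-account to an external account."""
        self.main_accounts[main][sub]["bound_to"] = external_account

    def change_rights(self, main, sub, rights):
        """Module 454: replace the current management rights of the virtual sub-account."""
        self.main_accounts[main][sub]["rights"] = set(rights)

    def bound_main_accounts(self, external_account):
        """FIG. 4, step S220: internal main accounts offered for selection."""
        return sorted(main for main, subs in self.main_accounts.items()
                      if any(s["bound_to"] == external_account for s in subs.values()))

    def sub_account_bound_to(self, main, external_account):
        """FIG. 5, step S330: the virtual sub-account of `main` bound to the account, or None."""
        for sub, s in self.main_accounts.get(main, {}).items():
            if s["bound_to"] == external_account:
                return sub
        return None

    def manage(self, result, main, action):
        """Steps S230/S340: perform `action` on `main`'s resources only if the
        signature verifies and a bound virtual sub-account holds that right."""
        if not verify_result(result):
            return "login failed: external identity not verified"
        ext = result["external_account"]
        sub = self.sub_account_bound_to(main, ext)
        if sub is None:
            return "login failed: no virtual sub-account of %s is bound to %s" % (main, ext)
        if action not in self.main_accounts[main][sub]["rights"]:
            return "denied: %s lacks right %s" % (sub, action)
        return "ok: %s performed %s on %s via %s" % (ext, action, main, sub)


def demo_platform():
    """Constructed data: alice@aliyun.com (from the text) and carol@example.com
    (constructed) each bind a virtual sub-account to bob@sina.com."""
    p = Platform()
    p.create_virtual_sub_account("alice@aliyun.com", "ops-1", {"vm:reboot", "vm:list"})
    p.bind("alice@aliyun.com", "ops-1", "bob@sina.com")
    p.create_virtual_sub_account("carol@example.com", "ops-1", {"vm:list"})
    p.bind("carol@example.com", "ops-1", "bob@sina.com")
    return p


if __name__ == "__main__":
    p = demo_platform()
    bob = external_server_result("bob@sina.com")
    print(p.bound_main_accounts("bob@sina.com"))            # FIG. 4 selection box
    print(p.manage(bob, "alice@aliyun.com", "vm:reboot"))   # allowed
    print(p.manage(bob, "carol@example.com", "vm:reboot"))  # denied: right not allocated
    forged = dict(bob, signature="00" * 32)
    print(p.manage(forged, "alice@aliyun.com", "vm:list"))  # login failed
```

Re-binding the sub-account to another external account (module 455) immediately removes the old external account's access, since the lookup is by current binding rather than by any credential held by the staff member.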

For the purposes of this disclosure a module, unit, or circuitry is a software, hardware, or firmware (or combinations thereof) system, process or functionality, or component thereof, that performs or facilitates the processes, features, and/or functions described herein (with or without human interaction or augmentation). A module can include sub-modules, and a unit can comprise a sub-unit. Software components of a module/unit may be stored on a computer readable medium for execution by a processor. Modules/units may be integral to one or more servers or devices, or be loaded and executed by one or more servers/devices. One or more modules may be grouped into an engine or an application. Thus, devices according to embodiments of the present disclosure may be integrated as a single device or distributed, and may include software, hardware, or firmware, and combinations thereof.

FIG. 6 presents a block diagram of a device for managing resources with an external account according to some embodiments of the present disclosure. The device 400 for managing resources with an external account includes the following modules.

Identity verification module 410 conducts identity verification of an external account via a server.

Virtual sub-account inquiry module 420 queries whether the virtual sub-account is bound to the external account, if the identity of the external account has been verified. Each virtual sub-account is subordinate to an internal main account of the current platform.

Resource management module 430 allows the external account to manage the resources of the internal main account based on the pre-configured rights of the virtual sub-account when the virtual sub-account bound to the external account has been verified.

According to some embodiments of the present disclosure (FIG. 7), a resource management device 450 may include an identity verification module 460 which performs the same functions as the above identity verification module 410, and further includes the following.

Identity verification request module 461 requests an identity verification for an external account via the server.

Signature verification module 462 verifies the server signature of the identity verification result returned by the external account server.

External account confirmation module 463 determines that the external account of the identity verification result has been verified, if the server signature has been verified.

According to some embodiments of the present disclosure, the resource management device 450 may also include the following.

Virtual sub-account creating module 451 creates a virtual sub-account subordinate to the internal main account, which has a user name and a password; the virtual sub-account itself does not have a password for operating resources with an external account.

Rights allocating module 452 allocates management rights to the virtual sub-account for managing the resources of the internal main account.

Binding module 453 binds a virtual sub-account to an external account.

According to some embodiments of the present disclosure, the resource management device 450 may further include a rights changing module 454, which changes the current management rights of the virtual sub-account in the internal main account.

According to some embodiments of the present disclosure, the resource management device 450 may further include a bound object changing module 455, which changes the external account currently bound to the virtual sub-account to another external account.

According to some embodiments of the present disclosure, the identity verification module 460 further includes a first identity verification module 464 which conducts an identity verification of an external account via the server through an identity verification protocol, for example the OAuth protocol, the SAML protocol, or the OpenID protocol.

FIG. 8 presents a block diagram of a device for operating resources with an external account according to some embodiments of the present disclosure.

The resource management device 500 for managing resources with an external account includes the following components.

Identity verification module 510 conducts identity verification of an external account via a server. The identity verification module 510 may be configured, for example, as in the previous embodiments' identity verification modules 410 or 460.

Virtual sub-account inquiry circuitry 520 is configured to perform the functions of the virtual sub-account inquiry module 420 as described above, and additionally includes a first inquiry module 521 which queries whether the virtual sub-accounts of all internal main accounts are bound to the external account, if the identity of the external account has been verified. Each virtual sub-account is subordinate to an internal main account of the current platform.

Resource management module 530 allows the external account to operate the resources of the internal main account based on the pre-configured rights of the virtual sub-account when the virtual sub-account bound to the external account has been verified.

FIG. 9 is a schematic block diagram illustrating a non-limiting embodiment of a device for operating resources with an external account according to some embodiments of the present disclosure.

The resource management device 600 for managing resources with an external account includes the following components.

Target internal main account confirmation module 610 determines the target internal main account.

Identity verification module 620 conducts identity verification of an external account via a server.

Virtual sub-account inquiry module 630 performs the functions of the virtual sub-account inquiry module 420 as described above, and additionally includes a specified inquiry module 631 for inquiring whether a virtual sub-account of the target internal main account is bound to the external account. Each virtual sub-account is subordinate to an internal main account of the current platform.

Resource management module 640 allows the external account to operate the resources of the internal main account based on the pre-configured rights of the virtual sub-account when the virtual sub-account bound to the external account has been verified.

Each embodiment in the Description, described in a progressive manner, describes alternative, similar or interchangeable embodiments; thus, for similar and/or identical parts between embodiments, these can be understood by cross-referencing each other.

A person skilled in the art shall understand that the embodiments of the present application may be provided as a method, a device or a computer program product. Therefore, the embodiments of the present application can take the form of full hardware embodiments, full software embodiments or a combination of both software and hardware. Moreover, the embodiments of the present application can take the form of a computer program product applied in one or more available computer storage media (including, but not limited to, disk memories, CD-ROMs, optical memories, etc.) containing computer readable program codes.

In one typical configuration, the computer equipment forming the computers, devices and/or servers described herein comprises one or more central processing units (CPU), I/O interfaces, network interfaces and internal or externally accessible memories. The memories may comprise the volatile memory, the random access memory (RAM) and/or the nonvolatile RAM of the computer readable medium, such as read-only memory (ROM) or flash RAM. The internal memory is an example of the computer readable media. The computer readable media refers to physical or tangible storage (as opposed to signals), and may comprise permanent and non-permanent, portable or non-portable media and can store data with any method or technology. The data can be computer readable commands, data structures, program modules or other data. The storage media includes, but is not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassette tape, tape/disk memory or other magnetic storage device or other non-transmission medium for storing the signals that can be accessed by computer equipment. According to the definitions herein, unless specifically set forth, the computer readable media do not include transitory media, such as data signals and carrier waves.

The embodiments of the present application are described according to the method and the terminal equipment (system) of the embodiments of the present application and the process diagram and/or block diagram of the computer program product. It shall be understood that each process in the process diagram and/or block diagram, and/or each process and/or block of the flow diagram and/or block diagram, can be combined and implemented by computer program commands. These computer program commands can be provided to the CPU of a general-purpose computer for appropriate programming, a special-purpose computer, an embedded processor or other programmable data-processing terminal equipment for generating a machine, so that the commands executed by the CPU of the computer or other programmable data-processing terminal equipment form a device for realizing the functions specified by one or more processes in the process diagram and/or one or more blocks in the block diagram. In some alternate implementations, the functions/acts noted in the blocks can occur out of the order noted in the operational illustrations. For example, two blocks shown in succession can in fact be executed substantially concurrently, or the blocks can sometimes be executed in the reverse order, depending upon the functionality/acts involved.

The computer program commands can also be stored in a computer readable memory that can guide the computer or the other programmable data-processing terminal equipment to operate in a particular way, so that the commands form a product comprising a command device that can realize the functions specified by one or more processes in the process diagram and/or one or more blocks in the block diagram.

These computer program commands can also be loaded into the computer or other programmable data-processing terminal equipment for executing a series of operation steps to generate the realized process, so that the commands executed by the CPU of the computer or other programmable data-processing terminal equipment provide the steps for realizing the function specified by one or more processes in the process diagram and/or one or more blocks in the block diagram.

Although the preferred embodiments of the present application are described herein, a person skilled in the art can alter or modify the embodiments once the basic inventive concepts are made known. Therefore, the Claims herein are intended to be interpreted as comprising the preferred embodiments and all alterations and modifications that fall into the scope of the embodiments of the present application.

Lastly, it shall be noted that the terms “first”, “second” and the like herein are only provided to distinguish one physical part or one operation from another, and do not necessarily require or imply that these physical parts or operations have such actual relationships or are in such order. Moreover, the terms “including”, “comprising” or any other such variants are intended to express the meaning of non-exclusive comprising, so that the process, method, articles or terminal equipment may include a series of elements and are not limited by these elements, and may also include elements that have not been explicitly listed, or elements that are intrinsic to the process, the method, the articles or the terminal equipment. Without further specification, the element specified by the term “including a . . . ” does not exclude that other elements also exist in the process, the method, the article or the terminal equipment that include the elements.

The method and the device for operating resources with an external account provided by the present application are illustrated in detail above. Specific cases are used for explaining the principles and embodiments of the present application; the descriptions of the above embodiments are merely for facilitating the understanding of the method and the core ideas of the present application. Meanwhile, for a person skilled in the art, the specific embodiments and the scope of the application both may change based on the ideas of the present application. In conclusion, the content of the Description shall not be interpreted as restricting the present application.

What is claimed is:
1. A method for managing cloud computing resources, the method comprising: requesting, using an identity verification protocol, an identity verification for an external account via a verification server, the identity verification comprising an identifier of the external account and a verification server signature; verifying the verification server signature returned by the verification server; determining that the identity of the external account is verified if the server signature is verified; if the identity of the external account is verified, determining whether a virtual sub-account is bound to the external account, the virtual sub-account having pre-configured rights to manage the cloud computing resources, the cloud computing resources being associated with one or more internal main accounts, the virtual sub-account being subordinate to one of the one or more internal main accounts, the determining whether the virtual sub-account is bound to the external account comprising: querying whether any virtual sub-accounts subordinate to the one or more internal main accounts are bound to the external account, wherein each of the one or more internal main accounts has at least one subordinate virtual sub-account; and if it is determined that the virtual sub-account is bound to the external account, allowing the external account to manage the cloud computing resources associated with the internal main account based on the pre-configured rights of the virtual sub-account.
2. The method according to claim 1, further comprising: creating the virtual sub-account subordinate to the internal main account, the internal main account having a user name and a password, and the virtual sub-account not having a password for managing resources with the external account; allocating management rights to the virtual sub-account as pre-configured rights for managing the resources of the internal main account; and binding the virtual sub-account to the external account.
3. The method according to claim 2, further comprising: modifying the pre-configured rights of the virtual sub-account in the internal main account, wherein the modifying the pre-configured rights is after the allocating.
4. The method according to claim 2, further comprising: second binding the virtual sub-account to another external account after the step of binding.
5. The method according to claim 1, wherein in the verifying the identity of the external account, if the identity is not verified via the external account, a cause of login failure is displayed.
6. The method according to claim 1, wherein the identity verification protocol includes at least one of an OAuth protocol, a SAML protocol, and an OpenID protocol.
7. The method according to claim 1, wherein the determining whether the virtual sub-account is bound to the external account comprises: querying whether a virtual sub-account of a target account of the one or more internal main accounts is bound to the external account, wherein each of the one or more internal main accounts has at least one subordinate virtual sub-account.
8. A device for managing cloud computing resources, the device comprising: one or more processors; a network interface; and a memory storing computer-executable instructions executable by the one or more processors, the instructions causing the device to: request, using an identity verification protocol, an identity verification for an external account via a verification server, the identity verification comprising an identifier of the external account and a verification server signature; verify the verification server signature returned by the verification server; determine that the identity of the external account is verified if the server signature is verified; if the identity of the external account is verified, determine whether a virtual sub-account is bound to the external account, the virtual sub-account having pre-configured rights to manage the cloud computing resources, the cloud computing resources being associated with one or more internal main accounts, the virtual sub-account being subordinate to one of the one or more internal main accounts, the determining whether the virtual sub-account is bound to the external account comprising: querying whether any virtual sub-accounts subordinate to the one or more internal main accounts are bound to the external account, wherein each of the one or more internal main accounts has at least one subordinate virtual sub-account; and if it is determined that the virtual sub-account is bound to the external account, allow the external account to manage the cloud computing resources associated with the internal main account based on the pre-configured rights of the virtual sub-account.
9. The device according to claim 8, the instructions further causing the device to: create the virtual sub-account subordinate to the internal main account, the internal main account having a user name and a password, and the virtual sub-account not having a password for managing resources with the external account; allocate management rights to the virtual sub-account as pre-configured rights for managing the resources of the internal main account; and bind the virtual sub-account to the external account.
10. The device according to claim 9, the instructions further causing the device to: modify the pre-configured rights of the virtual sub-account in the internal main account, wherein the modifying the pre-configured rights is after the allocating.
11. The device according to claim 9, the instructions further causing the device to: second bind the virtual sub-account to another external account after the instruction to bind.
12. The device according to claim 8, wherein in the instruction to verify the identity of the external account, if the identity is not verified via the external account, a cause of login failure is displayed.
13. The device according to claim 8, wherein the identity verification protocol includes at least one of an OAuth protocol, a SAML protocol, and an OpenID protocol.
14. The device according to claim 8, wherein the instruction to determine further causes the device to: query whether a virtual sub-account of a target account of the one or more internal main accounts is bound to the external account, wherein each of the one or more internal main accounts has at least one subordinate virtual sub-account.
15. A non-transitory computer-readable storage medium storing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for managing cloud computing resources, the method comprising: requesting, using an identity verification protocol, an identity verification for an external account via a verification server, the identity verification comprising an identifier of the external account and a verification server signature; verifying the verification server signature returned by the verification server; determining that the identity of the external account is verified if the server signature is verified; if the identity of the external account is verified, determining whether a virtual sub-account is bound to the external account, the virtual sub-account having pre-configured rights to manage the cloud computing resources, the cloud computing resources being associated with one or more internal main accounts, the virtual sub-account being subordinate to one of the one or more internal main accounts, the determining whether the virtual sub-account is bound to the external account comprising: querying whether any virtual sub-accounts subordinate to the one or more internal main accounts are bound to the external account, wherein each of the one or more internal main accounts has at least one subordinate virtual sub-account; and if it is determined that the virtual sub-account is bound to the external account, allowing the external account to manage the cloud computing resources associated with the internal main account based on the pre-configured rights of the virtual sub-account.
16. The non-transitory computer-readable storage medium according to claim 15, the method further comprising: creating the virtual sub-account subordinate to the internal main account, the internal main account having a user name and a password, and the virtual sub-account not having a password for managing resources with the external account; allocating management rights to the virtual sub-account as pre-configured rights for managing the resources of the internal main account; and binding the virtual sub-account to the external account.
17. A method for managing cloud computing resources, the method comprising: receiving an identity verification result of an external account returned by a verification server, the verification result comprising an identifier of the external account and a verification server signature; verifying the verification server signature returned by the verification server; determining whether a virtual sub-account is bound to the external account, the virtual sub-account having pre-configured rights to manage the cloud computing resources, the cloud computing resources being associated with one or more internal main accounts, the virtual sub-account being subordinate to one of the one or more internal main accounts, the determining whether the virtual sub-account is bound to the external account comprising: querying whether any virtual sub-accounts subordinate to the one or more internal main accounts are bound to the external account, wherein each of the one or more internal main accounts has at least one subordinate virtual sub-account; and if it is determined that the virtual sub-account is bound to the external account, allowing the external account to manage the cloud computing resources associated with the internal main account based on the pre-configured rights of the virtual sub-account.